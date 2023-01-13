



This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD. Once configured, users can sign in to Azure AD using their Google Workspace credentials.

Prerequisites

To configure Google Workspace as an IdP in Azure AD, you need the following prerequisites:

An Azure AD tenant with one or more custom DNS domains (i.e. domains not of the form *.onmicrosoft.com)
Access to Azure AD using an account with the Global Administrator role
Access to Google Workspace using an account with super admin rights

To test federation, you need the following prerequisites:

User accounts created in Google Workspace

Important

Each user must have an email address defined in Google Workspace; this address is used to match the user to an account in Azure AD.

Individual Azure AD accounts already created: each Google Workspace user must have a matching account defined in Azure AD. These accounts are typically created by automated solutions such as:
School Data Sync (SDS)
A PowerShell script that calls the Microsoft Graph API
The provisioning tool provided by the IdP (Google Workspace with automatic provisioning)
Azure AD Connect sync, for environments with on-premises AD DS

Configure Google Workspace as an IdP in Azure AD

Sign in to the Google Workspace admin console with an account that has super admin privileges.

Select Apps > Web and mobile apps.

Select Add app > Search for apps and search for microsoft.

On the search results page, hover over the Microsoft Office 365 - Web (SAML) app and click Select.

On the Google Identity Provider details page, select Download Metadata and make a note of where the IdP metadata file (GoogleIDPMetadata.xml) is stored, as it will be used to set up Azure AD later.

On the Service provider details page:

Select the Signed response option.
Make sure the Name ID format is set to PERSISTENT.
Depending on how the user was provisioned in Azure AD, you may need to adjust the Name ID mapping. For more information, see (written article).
If you are using Google auto-provisioning, select Basic Information > Primary email, and then select Continue.

On the Attribute mapping page, map the Google attributes to the Azure AD attributes:

Google Directory attributes          Azure AD attributes
Basic Information: Primary email     App attributes: IDPEmail

Important

Make sure the email address on each Azure AD user account matches the one defined in Google Workspace.

Select Finish.

Now that the app is configured, we need to enable it for users in Google Workspace.

Sign in to the Google Workspace admin console with an account that has super admin privileges.
Select Apps > Web and mobile apps.
Select Microsoft Office 365.
Select User access.
Select ON for everyone, then select Save.

Configure Azure AD as a Service Provider (SP) for Google Workspace

Configuring Azure AD consists of changing the authentication method for your custom DNS domain to federated. This configuration can be done using PowerShell. Using the IdP metadata XML file downloaded from Google Workspace, modify the $DomainName variable in the following script to match your environment and run it in an elevated PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the Global Administrator role.

Install-Module -Name MSOnline
Import-Module MSOnline

# Set this to the custom DNS domain that will be federated with Google Workspace
$DomainName = ""

# Read the IdP metadata downloaded from the Google admin console
$xml = [Xml](Get-Content GoogleIDPMetadata.xml)

# The signing certificate is base64 text split across several lines in the metadata; join the pieces
$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
$issuerUri = $xml.EntityDescriptor.entityID

# Use the HTTP-Redirect binding endpoint as the sign-on URL
$logOnUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$LogOffUri = "https://accounts.google.com/logout"
$brand = "Google Workspace Identity"

Connect-MsolService

$DomainAuthParams = @{
    DomainName                      = $DomainName
    Authentication                  = "Federated"
    IssuerUri                       = $issuerUri
    FederationBrandName             = $brand
    ActiveLogOnUri                  = $logOnUri
    PassiveLogOnUri                 = $logOnUri
    LogOffUri                       = $LogOffUri
    SigningCertificate              = $cert
    PreferredAuthenticationProtocol = "SAMLP"
}
Set-MsolDomainAuthentication @DomainAuthParams

To verify that your configuration is correct, you can use the following PowerShell command:

Get-MsolDomainFederationSettings -DomainName $DomainName

ActiveLogOnUri                         : https://accounts.google.com/o/saml2/idp?
DefaultInteractiveAuthenticationMethod :
FederationBrandName                    : Google Workspace ID
IssuerUri                              : https://accounts.google.com/o/saml2?idpid=
LogOffUri                              : https://accounts.google.com/logout
MetadataExchangeUri                    :
NextSigningCertificate                 :
OpenIdConnectDiscoveryEndpoint         :
PassiveLogOnUri                        : https://accounts.google.com/o/saml2/idp?idpid=
SigningCertificate                     :
SupportsMfa                            :

Verify federated authentication between Google Workspace and Azure AD
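Before the browser test, the values Azure AD reports for the domain can be checked mechanically against the IdP metadata. A federated domain trusts whatever IssuerUri, PassiveLogOnUri and SigningCertificate are configured on it, so confirming that those three values still match the metadata you downloaded is a useful periodic check. The following PowerShell is an added example, not part of the original article or of Microsoft's script: it parses a constructed sample of GoogleIDPMetadata.xml (placeholder idpid and certificate values, not a real tenant), extracts the same three values the federation script sets, and compares them with a federation-settings object. The $actual object is a constructed stand-in for the result of Get-MsolDomainFederationSettings, and the function names Get-GoogleIdpSettings and Test-FederationDrift are this example's own.

```powershell
# Constructed sample of the Google IdP metadata; the idpid and certificate are placeholders.
$sampleMetadata = @'
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE-IDPID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIBPLACEHOLDERCERT
Q0VSVEJBU0U2NA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDPID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@

# Extract the values the federation script derives from the metadata (hypothetical helper, this example's own).
function Get-GoogleIdpSettings {
    param([Parameter(Mandatory)][string]$MetadataXml)

    $xml  = [Xml]$MetadataXml
    $desc = $xml.EntityDescriptor.IDPSSODescriptor

    # The certificate is base64 text that may span several lines; join the pieces exactly as the script does.
    $cert = -join $desc.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()

    # Pick the HTTP-Redirect binding endpoint, which the script uses for both log-on URIs.
    $redirect = $desc.SingleSignOnService | Where-Object { $_.Binding.Contains('Redirect') } | Select-Object -First 1

    [pscustomobject]@{
        IssuerUri          = $xml.EntityDescriptor.entityID
        PassiveLogOnUri    = $redirect.Location
        SigningCertificate = $cert
    }
}

# Compare the metadata-derived values with what Azure AD reports for the domain (hypothetical helper).
# Returns one line per mismatch; no output means the settings agree with the metadata.
function Test-FederationDrift {
    param(
        [Parameter(Mandatory)]$Expected,   # output of Get-GoogleIdpSettings
        [Parameter(Mandatory)]$Actual      # output of Get-MsolDomainFederationSettings, or a stand-in
    )

    $problems = @()
    foreach ($name in 'IssuerUri', 'PassiveLogOnUri', 'SigningCertificate') {
        if ($Expected.$name -ne $Actual.$name) {
            $problems += "$name differs: expected '$($Expected.$name)', found '$($Actual.$name)'"
        }
    }
    # A second certificate on the domain is valid during key rollover, but should be an expected change.
    if ($Actual.NextSigningCertificate) {
        $problems += "NextSigningCertificate is set; confirm this rollover certificate was added intentionally"
    }
    return $problems
}

$expected = Get-GoogleIdpSettings -MetadataXml $sampleMetadata

# Constructed stand-in for Get-MsolDomainFederationSettings -DomainName $DomainName;
# the certificate is deliberately different so the check reports something.
$actual = [pscustomobject]@{
    IssuerUri              = $expected.IssuerUri
    PassiveLogOnUri        = $expected.PassiveLogOnUri
    SigningCertificate     = 'MIIBDIFFERENTCERT'
    NextSigningCertificate = $null
}

Test-FederationDrift -Expected $expected -Actual $actual
```

Against a live tenant, replace the $actual stand-in with the real call (Get-MsolDomainFederationSettings -DomainName $DomainName) after Connect-MsolService, and pass the downloaded GoogleIDPMetadata.xml through Get-Content -Raw instead of the sample string. The comparison is exact string equality, so a trailing space in FederationBrandName or a re-wrapped certificate will show up as a difference, which is the intended behaviour for a drift check.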

From a private browser session, go to https://portal.azure.com and sign in with your Google Workspace account. You should observe the following:

The username is the email address defined in Google Workspace.
The user is redirected to Google Workspace to sign in.
After Google Workspace authentication, the user is redirected back to Azure AD and signed in.

